What is the GDPR?
The EU General Data Protection Regulation is the EU’s most important data and privacy policy change in the past 20 years. GDPR was approved by the EU Parliament on April 14, 2016, with an effective date of May 25, 2018. GDPR will replace the Data Protection Directive 95/36/EC, in an effort to create concerted privacy laws throughout the EU, increase privacy protections for citizens, and limit the ways in which companies can collect personal data. With every other story in the news dealing with privacy concerns, data breaches, and major class actions against big-name companies stemming from these cybersecurity missteps, data privacy is imperative for all companies to prioritize. The GDPR goes into effect on May 25, 2018. Is your company ready?
Who is Impacted by GDPR?
Many US companies are asking if they are impacted by GDPR, and the answer is yes: US companies are subject to GDPR provisions in many instances. In fact, an important piece of GDPR is understanding who is impacted by it, and the geographical scope is much larger than it may seem at first blush. GDPR provides data protection and privacy for EU citizens, and it applies to all companies offering goods and services to the EU. So even if your company is not based in the EU, you are subject to the regulations if you are collecting data from EU citizens, even if no financial transaction takes place. If your company is collecting any kind of PII (Personally Identifiable Information) from EU citizens, the broader scope of the law kicks in.
An Explanation of Some Key GDPR Terminology
In order to comply with the provisions of GDPR, it’s important to understand the data terminology used by the regulations. Below are some of the major terms, defined.
- Rec.26; Art.4(1) "Personal data" means any information relating to an identified or identifiable natural person ("data subject"). Data protection laws in the EU only apply to personal data.
- An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- This means that for certain organizations that collect location data, online identifiers and genetic data, such data will fall within the definition of "personal data" and may result in additional compliance obligations (e.g., for businesses that target by location, like some advertisers). Many types of cookies become personal data under the GDPR, since certain cookies constitute "online identifiers".
- Rec.26; Art.4(7) Data Controller "Controller" means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller (or the criteria for nominating the controller) may be designated by those laws. In other words, the controller is the owner or receiver of the personal data and who essentially instructs the processor what they should do with the data.
- Rec.26; Art.4(8) Data Processor "Processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. The “processor” is the entity that collects, records, organizes, structures, stores, uses, transmits or even destroys personal data at the request or direction of the data “controller.” The broad definition of “processor” under GDPR includes most U.S. companies that receive data, from any source, that personally identifies EU subjects.
Who is a Data Processor and Who is a Data Controller?
Consider a scenario: your company, XXX, sells a product to EU consumers and uses the Ape Bulk emailing system to email EU clients or potential clients on behalf of XXX, and Ape tracks readership, engagement, and other email activity data. Here your company XXX is the data controller, and Ape Bulk emailing system is the data processor. This can be construed even more broadly: if your firm has a website which EU subjects can access, the personal data regulations may be triggered if you have any type of readership analytics associated with your website.
Whether your company is a data controller or data processor matters, but you’re not off the hook for GDPR compliance if you are a data controller. Generally, GDPR treats the data controller as the responsible principal party for collecting consent, managing the revocation of consent, and enabling data access. A data subject who wishes to revoke consent for his or her personal data therefore will contact the data controller to initiate the request, even if such data lives on servers belonging to the data processor. The data controller, upon receiving this request, would then request that the data processor remove the revoked data from its servers. However, Article 28 Sec requires data controllers to select only those data processors that can provide sufficient guarantees that the processor will comply with the GDPR and implement “appropriate technical and organizational measures” to protect the data. So controllers are legally obligated to select processors that are prepared for GDPR compliance.
Data processing under GDPR extends to several activities. These include any operation(s) on personal data or sets of personal data, including storing, retrieving, erasing or destroying data, or otherwise adapting or altering data sets. The use of legal contracts in a business setting, collection of employee information to provide to government agencies for tax filing (or other purposes), performing an internal administrative process (such as internal payroll services), or processing data to collect payment information are some instances in which data processors and controllers may process data without the data subject’s consent. This applies regardless of industry sector.
To be clear, while data processors are doing the work of complying with privacy regulations, data controllers are liable for selecting data processors that can comply with those regulations. If the Data Processor does not adequately perform the tasks required by GDPR, the Data Controller is responsible, and liable. Liable to the tune of up to €20 million, or four percent of your total worldwide annual turnover of the previous financial year, whichever is higher.
Will the UK Be Affected by GDPR with the Impending Brexit Split?
As previously discussed, any company which operates in the EU, sells to EU residents, or collects data, privacy, and personal information from EU citizens will be subject to GDPR. Although Brexit has been finalized, UK companies are still affected by GDPR, as the UK will remain a member state through March 2019.
Once Brexit occurs, the UK will be treated as a third-party country, which will still be affected by GDPR policies if the country engages in the collection of personal information, research, or other services with EU member state residents.
Takeaways
GDPR is meant to synthesize data regulations across the EU, to create a more hospitable environment for business by making data requirements uniform and smoothing out data transfers across the European Union. Along with making the requirements consistent, the regulation is also designed to make sure EU citizens are offered a high level of data protection in today’s privacy-conscious world. Ultimately, these regulations are designed to facilitate business in the EU, and many analysts believe that the regulations, while initially onerous, will ultimately benefit businesses operating in the digital sphere.
In the meantime, compliance is essential. In our next installment, we will look at cookie disclosures and contract requirements, to help data controllers make sure data processors are compliant. In our third installment, we will take a look at breach notification requirements under GDPR.